Happy Birthday Morris!
Randy Abrams recently pointed out to me that today is the 20th anniversary of the Morris Worm. For all you kids out there who have no recollection of this event, I’ve just posted a blog at http://www.eset.com/threat-center/blog/?p=165 that recaps on the worm and includes some relevant references, but right now I want to expand on a thought I had while I was writing it.
The Morris worm was very much of its time. It was a proof of concept (actually of several concepts) item of malware that showed a certain interest in and knowledge of some vulnerabilities that were current at that time (mostly a fingerd buffer overflow exploit and a somewhat flaky implementation of sendmail debugging), and was clearly meant to be self-launching. Most current malware, while it may well use drive-by downloads and other exploits, seems to use some form of social engineering. So maybe the earlier CHRISTMA EXEC worm was the real pioneer, with its mass mailing payload and its chainletter appeal to the gullibility of the victim. Well, we can draw dotted lines between old and new malware from now to Christmas, which is the sort of thing that interests saddos like me but doesn’t necessarily gain us much in terms of securing the internet.
Looking through some historical resources, it strikes me that there are some moments in malware history that not only define the time, but in some way draw a line under it, though Morris was followed by a copycat VMS worm the following year). After that, though, we waited quite a while for a real mass mailer epidemic and for the big network worms of this decade. Melissa managed to mark both the beginning of heavy duty mass mailers and the end (or at least the decline) of macro malware. Yet there are no full stops here. In 2008, we’re still seeing new(-ish) stuff cheek-by-jowl with the sort of malware we’ve mostly forgotten about: old-time boot sector viruses and new-age MBR rootkits; macro viruses and office suite exploits; overflows and drive-bys; and an endless loop of social engineering tricks (phishes, 419s, fake admin messages, fake codecs, fake updates…) The only really substantial change is the disappearance of the hobbyist hacker/malware author, promoted into full-blown cyber-criminality.
It seems that what we really need to patch is human nature: the evil gene, the greed gene, the careless gene, the “what’s a patch?” gene, the “I can click on anything because I have anti-virus software” gene…
David Harley CISSP FBCS CITP